Author: Mike O'Connor

I decided to compare some digital recorders for the purposes of recording soundscapes here at Prairie Haven. I’ve got two of them, bought at different times for different purposes and I was curious to see how different they were and whether it was worth carrying one of them instead of just using my phone. The nice thing about the phone is that it’s with me all the time, but I’d start carrying one of the others if they were better.

The contestants

Apple iPhone 6s — this is what I’ve used to record most of the soundscapes here. It’s always available, dead simple to use, but it’s mono and doesn’t pretend to be anything fancy.

Sony ICD-SX712 — a handy digital recorder for meetings, stereo.

Tascam DR-40 — a fancier digital recorder I bought as a “logging” recorder for music-studio stuff, also stereo.

The process

I sat on the porch after the Evening Walk tonight, plunked all three recorders down on the table and hit the record button on all three. I took the resulting digital audio files and trimmed them down to the same 10 second “scene” and made them the same loudness. Two of the recorders are stereo and for fairness I only used one channel of their recordings so all of these are mono. All three of them can be heard on this 30 second MP3 recording.

Listen to the samples and compare the results.

If you really want to play along, you will play this sample and decide which you like without decoding which one is which. Here are the three test clips.

Intro

Exactly five years ago today, I published this little rant about the growth rates projected for the new “generic top level domains” that were being introduced by ICANN at the time. You know, domain names that end in things like .run or .lol or .bot (yep, those are all real alternatives to .com or .org if you’d like to strike out into new territory).

I decided to update it with the way things have turned out.

Original post – March 7, 2014

I was reading the Appendices of a recent ICANN report when I came across an interesting assumption built into their analysis. The boffins that did this portion of the study are projecting 22% annual growth in total domains for the next five years.

The thing that struck me was that whopping 22% annual growth rate. Partly this is due to some pretty optimistic assumptions about the growth in the number of new gTLDs (I’m willing to bet any money that the beginning of 2015 will not see 200,000 gTLD domains in the root). But leaving that aside, 22% year over year growth isn’t something we’ve seen since pre-bubble glory days.

Here’s a little chart I put together to show you the history. We’re running about 4% growth right now. A long way from 22%. If I were building budgets for ICANN, I’d be seriously researching where these projections are coming from and applying a pretty serious quantity of cold water. Just saying…

UPDATE: March 7, 2018

I decided to update this post given that we’re at the end-point of that projection that caught my eye (start of 2018). Here’s my last version, as of the end of 2017 – the first two chunks are the same, the reddish one is what happened.

I think this falls in the “not even close” zone. New gTLDs never approached 22% a year growth and no new rounds of gTLDs have been added since the first batch of 1000 or so hit. Yep, toward the end, the growth rate was headed for negative territory as lots of the aggressive “first year for free” domain names weren’t renewed. The world needs a zillion new subsequent-round gTLDs exactly… why?

Notes to the nit-pickers:

The assumptions were in a scoping study done by IBM to determine how much a system would cost — so these numbers could have been pretty old, given how long the EWG had been running. I worried at the time that ICANN was using similarly optimistic numbers in their budget projections. Looks like they did, as they’re in retrenchment mode right now.

These numbers do not include ccTLDs (since IBM didn’t).

Verisign was quite far behind in publishing their quarterly statistics reports, so I finished up with RegistrarStats data. No warranty expressed or implied, especially since the site was decommissioned just as that annual growth rate started to approach zero.

Here’s a link to the 2018 version of the file that creates the charts. The payday tab is the first (far left) one — cleverly-named “Sheet 1” — which contains the data, the calculations and the charts. Warnings. The layout is ugly, the documentation is sparse. The “Notes” page has URLs for the data sources although they may not work any more. The rest of the tabs are (some of) the (erratic, sortof-monthly) downloads from RegistrarStats. Click HERE for the file (about 1 mByte).

We were provided instructions and a voice track (narration and character-dialog) by an imaginary director who is looking for a score for a romcom trailer. The “director” set a one-week deadline! I sweated this one a bit, given that this is also Fall Projects season here at Prairie Haven.

Pretty darn cool challenge. This was by far the most complex mix I’ve done in quite a while, 26 tracks across 13 scenes (in 2 minutes!).

Definitely a narrow-audience scratchpad post. We love our electric Polaris Ranger EV utility vehicle here at Prairie Haven. But putting water in the batteries is not a lot of fun. Messy, tedious, slow, etc. So today’s project was to put a battery watering system in.

UPDATE UPDATE: ONE YEAR LATER

Everything is fine and we still heartily endorse this gizmo. Battery watering now happens once a month.

Winter tip (and correction): We do water the batteries in the winter after all. I use the EV to plow snow which is pretty tough on the batteries and makes them use more water than in the summer. It works fine in winter, but here’s the tip — don’t do this when the EV has been below freezing for a while. Sometimes the couplers freeze. It’s easier just to wait for a few days of above-freezing temps in the garage than it is to coax the couplers into doing their thing when they’re frozen.

We did forget to charge the batteries before we watered them once. THAT was a pain in the neck because we had to go back to the “old way” of watering to siphon off the water at the top of the batteries. Never again! We’ve added this handy reminder-sign to the business end of the filler hose so we’ll never forget again.

UPDATE: one month later and the results are in

Wow. This is a complete success. We just watered the batteries for the first time and several things stand out. First, the batteries required dramatically less water — only a few ounces on each bank of four batteries. Second, the batteries didn’t require any cleaning because there was no spillage at all — unlike before where the battery tops were always covered with battery acid and needed extensive work before starting to do the watering. Third, as a result the job only took 5 minutes instead of the 3 hours we used to spend. Pry these out of our cold dead hands. Now, back to the original post…

Project start: 3pm

Standing on the driver’s side. There’s the diagram of the finished system (see below), an example of the gizmo that’s going to go into the batteries, the battery compartment and the really-useful ratchet box wrench for loosening the battery hold downs.

Bag of watering gizmos

The kit came disassembled, which I really liked because we only needed to loosen the battery hold downs, not take them off. We could thread the hoses under the hold downs and wires before hooking them to the watering gizmos.

First couple watering gizmos

We picked the easiest ones to learn on (the hardest ones are at the back – you owners already know this). Having the hold downs loose was helpful for wiggling the gizmos in, but the breakthrough came when we started twisting the lockdown handles of the battery caps a bit. The little handles are what really collide with the hold downs, twisting them out of the way made a big difference.

Cutting and installing the tubing was easy — we mostly used the measurements on the diagram, especially the 8-inch lengths. Some of the longer runs (10-14 inches) had to be custom measured because the diagram didn’t match the layout of our batteries. We’d just stick one end of the tube on, hold it close to its destination and then snip it to fit. We wound up with about a foot of tubing left over, but we were prepared to steal some from the water hook-up hoses if we ran short.

It goes a lot faster with two people splitting the tasks

Here’s Marcie dropping gizmos into the batteries. It’s way more than twice as fast when two people can each be concentrating on half the job at hand. Otherwise there’s lots of changing position/tools.

All done: 5pm

This is the way the finished product looked. This is the first side, just to keep things straight. The whole project took a couple hours and we could do it much faster now that we’ve done it once and learned some tricks.

Layout diagram

I know, the copyright notice is pretty intimidating — but hey, this diagram’s on their web site for all to see. Here’s the link to their site:

You also need the little squeeze-bottle filler that drops into a gallon of distilled water.

Results: The next morning

We watered the batteries (and cleaned them) this morning, remembering to charge the batteries before filling them. What used to be an “all morning project” was a short job that fit in before Marcie headed off for her real all-morning project.

Here’s an action shot — showing off my battery-watering pants. They’re more like a battery-watering apron these days. I think they can now be retired.

We splurged and spent a few minutes cleaning the batteries so they’d look spiffy for this final photo. Compressed air to spray off the debris, liberal dose of battery cleaner, rinsed them off with the hose and another round of compressed air to dry things off.

We were wondering if we’d be able to tell when to quit pumping water and accidentally overfill the batteries. No worries there — the little squeeze bulb just quits, we could both feel the really abrupt transition to “no more room” as we went to full-batteries. Those little floating shut off valves work great.

Today’s watering took about a gallon of water (pretty normal) and 15 minutes (pretty nifty!).

I talked to the folks who sold us the kit about what to do in winter. My main concern was that trapped water would freeze and rupture the tubing. They told me that the water finds its way into the batteries as the water level drops enough to open those valves back up. My plan is not to water the batteries in winter, just to play it safe.

We’ve been noticing that the Ranger has been pretty tough on our trails here at Prairie Haven. Our pet theory is that the EV (plug in electric) version of the Ranger is quite a bit heavier than a normal one and that the standard (narrow, aggressive-tread) tires add to the problem.

The Mission: wider tires for the Ranger EV

We’ve just mounted four Carlisle 25x11x12 Multi-Trac (574369) turf tires. These are a little wider than the standard tires and have a much less aggressive tread pattern. Here’s Marcie on her test drive — early returns are positive.

You can see that the footprint is much wider than the standard tires if you click on the picture and look at where the tires are dirty from Marcie’s 200 yard test drive. I think these may be a little over-inflated as well. Taking them down to about 7 psi may improve this even more.

The Tricky Bit: front fitment

The back tires are just mounted on the standard rims. They’re a little too wide for the rims so we added inner tubes (we’d already done that to the stock tires, so those just moved over to the new ones).

The front tires are also mounted on the stock rims, but they need spacers to clear the suspension. You can track down the 2-inch spacers we used by including “WP024” in your search for 2-inch spacers for a Ranger ATV/UTV. Four of them (we only used two) will cost about $100 on Amazon/eBay. Here’s what they look like on our Ranger.

Pro tip – my half-inch-drive sockets were too big to drive the spacer’s lug nuts: The lug nuts that come with the spacer need an 11/16 or 17mm deep socket and they reside at the bottom of deep wells in the spacer (take a look at the first photo — the empty holes are the wells I’m talking about – there are lug nuts at the bottom). 1/2-inch drive sockets are too big/thick to insert into those deep wells. I bought a 3/8th-drive, 11/16ths, deep socket at the hardware store that fit fine. Take the spacer along on the shopping trip — all this will make more sense once the spacer (and the lug nuts that come with it) are in your hands.

Here’s how it looks with the tire mounted…

The key clearance is between the tire and the front suspension. Mounting them without spacers doesn’t quite clear. Here’s a picture showing the clearance now that they’re mounted with the spacer.

And here’s a picture that shows that the wide tires still clear the fender at full lock — by about an inch. Cozy, but not a problem for our laid-back use of the Ranger. I wouldn’t want to race on this rig.

A scratchpad post to remind myself how to configure a Kontakt instrument so that light guides and knobs will show up correctly in Komplete Kontrol. There’s a video walkthrough at the end of this post.

Here’s a picture of the destination – the light guides appear on the keyboard and Komplete Kontrol knobs are mapped to the patch in two banks.

Light Guides

Use the Factory/Utilities/Set Key Color script to set the key colors. This is saved as part of the instrument, in Kontakt.

Mapping to knobs on Komplete Kontrol

Use “host automation” within Komplete Kontrol to map knobs to controls within the Kontakt patch. These mappings are saved as user presets within Komplete Kontrol not Kontakt.

Use the Factory/Utilities/6 MIDI Controllers script to “make controls visible” if they’re not directly available for host automation. This takes two “save” actions. The script is saved into the Kontakt instrument, the host automation mapping is saved as a user preset within Komplete Kontrol.

I transferred the authoritative nameserver of a domain from GoDaddy to Cloudflare and things got stuck. The NS propagated pretty well, but it never got picked up by Google or Verisign’s public DNS (check with https://www.whatsmydns.net). Since my ISP uses Google’s 8.8.8.8 server for customer DNS, I couldn’t reach my sites and mail got goofy.

The problem turned out to be outdated DS records that lingered at GoDaddy after I tried their DNSSEC product, had all sorts of problems and turned it off. DS records aren’t deleted automatically in that process — they need to be deleted manually on the Domain Details/Settings tab. Who knew? Why should I have to know??

Google (and Cloudflare, the destination authoritative server) saw the outdated DS records and ruled the domain bogus. In the case of Cloudflare, it never completed the setup process (constantly rescanning the nameservers and saying “Pending Nameserver Update”).

Google’s public DNS simply wouldn’t resolve the names and returned SERVFAIL. Here’s an example of the dig command when it was failing (note the period at the end of the command).
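The stale-DS failure described above can be reproduced offline. The following is an added example, not part of the original post: it recomputes the DS digest (RFC 4034/4509) from each DNSKEY a zone serves and reports the delegation as bogus when a DS remains at the registrar with no matching key. The zone name and keys are constructed sample values and the function names are this example's own; it checks only the DS-to-DNSKEY link, not signatures.

```python
"""Offline DS <-> DNSKEY consistency check (added example, constructed data)."""
import base64
import hashlib
import struct
from typing import NamedTuple

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


class DNSKEY(NamedTuple):
    flags: int          # 257 = key-signing key, 256 = zone-signing key
    protocol: int       # always 3
    algorithm: int      # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes

    @classmethod
    def parse(cls, text: str) -> "DNSKEY":
        """Parse the RDATA as dig prints it: '257 3 13 <base64 ...>'."""
        flags, proto, alg, *b64 = text.split()
        return cls(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

    @classmethod
    def parse(cls, text: str) -> "DS":
        """Parse the RDATA as dig prints it: '<tag> <alg> <digest type> <hex ...>'."""
        tag, alg, dtype, *hexparts = text.split()
        return cls(int(tag), int(alg), int(dtype), bytes.fromhex("".join(hexparts)))


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    return (ds.digest_type in DIGESTS
            and ds.algorithm == key.algorithm
            and ds == make_ds(owner, key, ds.digest_type))


def delegation_status(owner, parent_ds, child_dnskeys) -> str:
    """Classify the DS -> DNSKEY link the way a validating resolver would.

    Signatures are not verified here; 'ds-ok' only means the chain link exists.
    """
    usable = [ds for ds in parent_ds if ds.digest_type in DIGESTS]
    if not usable:
        return "insecure"   # no usable DS: zone is treated as unsigned, answers flow
    if any(ds_matches(owner, ds, k) for ds in usable for k in child_dnskeys):
        return "ds-ok"
    return "bogus"          # DS promises a key the zone does not serve: SERVFAIL


# --- constructed sample data: not real keys, not the author's domain ---
ZONE = "example.com."
OLD_KSK = DNSKEY(257, 3, 13, bytes(range(64)))        # key from the abandoned DNSSEC setup
NEW_KSK = DNSKEY(257, 3, 13, bytes(range(64, 128)))   # a different key, for comparison
STALE_DS = make_ds(ZONE, OLD_KSK)                     # what was left behind at the registrar


def scenarios() -> dict:
    return {
        "DS left at registrar, new nameservers unsigned": delegation_status(ZONE, [STALE_DS], []),
        "DS left at registrar, zone signed with another key": delegation_status(ZONE, [STALE_DS], [NEW_KSK]),
        "DS deleted at registrar, new nameservers unsigned": delegation_status(ZONE, [], []),
        "DS matches the key the zone serves": delegation_status(ZONE, [STALE_DS], [OLD_KSK]),
    }


if __name__ == "__main__":
    for case, status in scenarios().items():
        print(f"{status:9} {case}")
```

`DS.parse` and `DNSKEY.parse` accept the record data as dig prints it, so the same check can be run on records copied from the parent and from the new nameservers before the NS change is made.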

Wings Over Alma welcomes Mike O’Connor to present:
Restoring a Prairie Haven with Renewable Power

Alma, Wisconsin Wings Over Alma Nature & Art Center is featuring another facet of the O’Connors ‘unfarming’ restoration project in Buffalo County. On Sunday, July 17, 2016 Mike will share how the farm (Prairie Haven) generates more electric power than it consumes.

Mike and Marcie O’Connor are in the process of returning an old dairy farm in Buffalo County back to the savanna and prairie that was there before the land was settled. As part of the “unfarming” restoration project they installed solar panels to meet their energy needs.

Mike’s presentation will describe their solar power system, how it works, why they installed it and preliminary financial results. The O’Connors heat their house and run their Tesla electric car, utility vehicles and smaller tools like chain saws with the solar power they generate. This is bound to be an informative presentation you won’t want to miss. Be sure to bring your questions!!

Wings Over Alma will be hosting the presentation in their new location 110 North Main Street, Alma, WI.

The event begins at 1:00PM on Sunday, July 17th and there is no cost.

Contact:

Leslie Wilkie
leslierobinsonwilkie@gmail.com
651 334-9407

About Wings Over Alma

Wings Over Alma, Inc. is a non-profit community organization seeking to enhance and promote awareness of the Upper Mississippi River environment and raise the level of regional arts and crafts appreciation.

This is a scratchpad post to remind myself how to put together a machine-learning system on a Mac. This won’t work on a PC as some of the software is Mac-only. In this configuration a WiiMote (input device) is connected to Wekinator (real time interactive machine-learning software) through OSCulator (OSC bridging and routing software). Wekinator outputs are mapped to MIDI to drive Ableton Live through another instance of OSCulator.

WiiMote to OSCulator is a built in feature of OSCulator. Open OSCulator with the 3-input template linked above. Open the sliding panel on the right side of the main OSCulator page, turn on the WiiMote, click “Start Pairing”. Here’s the way it looks when it’s working.

OSCulator to Wekinator

This first instance of OSCulator translates the motions of the WiiMote into OSC messages and pushes them to Wekinator on Wekinator’s default UDP port (6448). If you’re using the example .oscd file, this should be working now. I’ve included the mapping if you are building this from an empty OSCulator file.

If you are starting from an empty OSCulator file, here is what the Parameters page looks like in this first instance of OSCulator. If Wekinator is running, locating and selecting these entries should be available through the drop down menus.

Wekinator to OSCulator (this is the second instance of OSCulator)

The default Wekinator output port is 12000. The second instance of OSCulator (instantiated through File/New) is set to listen on port 12000. If Wekinator is running, OSCulator will pick up the Wekinator outputs and they should be displayed in the Messages column of OSCulator.

2nd instance of OSCulator to Ableton Live

OSCulator has been configured to convert the OSC messages from Wekinator to MIDI CC messages in this example. I picked those message numbers because they’re within a range (85-90) that’s generally not used by other devices.
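What travels over the two UDP hops described above, and the kind of conversion the second OSCulator instance performs, as an added example (not part of the original post and not OSCulator's or Wekinator's code). It assumes Wekinator's default message names /wek/inputs and /wek/outputs, outputs in the 0.0-1.0 range, and consecutive CC numbers starting at 85; the parser rejects malformed datagrams, since any process that can reach an open UDP port can send to it.

```python
"""OSC messages on the two Wekinator hops and an OSC -> MIDI CC conversion."""
import math
import struct

CC_RANGE = range(85, 91)   # the post maps outputs to CC numbers in the 85-90 range


def _osc_str(s: str) -> bytes:
    """OSC strings are ASCII, NUL-terminated and padded to a multiple of 4 bytes."""
    raw = s.encode("ascii") + b"\x00"
    return raw + b"\x00" * (-len(raw) % 4)


def osc_encode(address: str, values) -> bytes:
    """Build one OSC message whose arguments are all float32."""
    return (_osc_str(address) + _osc_str("," + "f" * len(values))
            + struct.pack(f">{len(values)}f", *values))


def _read_str(packet: bytes, offset: int):
    end = packet.index(b"\x00", offset)          # ValueError if unterminated
    text = packet[offset:end].decode("ascii")    # ValueError if not ASCII
    return text, offset + (end - offset + 4) // 4 * 4   # skip NUL and padding


def osc_decode(packet: bytes):
    """Parse a float-only OSC message; raise ValueError on anything malformed."""
    if len(packet) % 4 or not packet.startswith(b"/"):
        raise ValueError("not an OSC message")
    address, off = _read_str(packet, 0)
    tags, off = _read_str(packet, off)
    if not tags.startswith(",") or set(tags[1:]) - {"f"}:
        raise ValueError(f"unsupported type tags {tags!r}")
    count = len(tags) - 1
    if len(packet) - off != 4 * count:
        raise ValueError("argument bytes do not match the type tags")
    values = list(struct.unpack_from(f">{count}f", packet, off))
    if not all(math.isfinite(v) for v in values):
        raise ValueError("non-finite argument")
    return address, values


def outputs_to_midi_cc(values, channel: int = 0):
    """Scale model outputs (assumed 0.0-1.0) to 3-byte MIDI CC messages."""
    if len(values) > len(CC_RANGE):
        raise ValueError("more outputs than controllers in the 85-90 range")
    msgs = []
    for cc, v in zip(CC_RANGE, values):
        level = int(min(1.0, max(0.0, v)) * 127 + 0.5)   # clamp, then round
        msgs.append(bytes([0xB0 | channel, cc, level]))  # 0xB0 = Control Change
    return msgs


def handle_wekinator_packet(packet: bytes):
    """Accept only /wek/outputs and return the MIDI messages to emit."""
    address, values = osc_decode(packet)
    if address != "/wek/outputs":
        raise ValueError(f"unexpected address {address!r}")
    return outputs_to_midi_cc(values)


# Constructed sample packets (not captured traffic).
SAMPLE_INPUT = osc_encode("/wek/inputs", [0.0, 0.5, 1.0])    # hop 1: sent to UDP 6448
SAMPLE_OUTPUT = osc_encode("/wek/outputs", [0.0, 0.5, 1.7])  # hop 2: arrives on UDP 12000

if __name__ == "__main__":
    print("to Wekinator  :", SAMPLE_INPUT.hex(" "))
    print("from Wekinator:", SAMPLE_OUTPUT.hex(" "))
    for msg in handle_wekinator_packet(SAMPLE_OUTPUT):
        print("MIDI CC       :", msg.hex(" "))
```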

Once OSCulator is producing MIDI, Ableton Live can be trained to apply those MIDI signals in the normal way. Turn on the MIDI Map Mode switch (blue, in the upper right corner, says “MIDI”), click on the control that should receive the MIDI signals and toggle the device on and off in OSCulator. The mappings will appear in the box on the left (under “MIDI Mappings”) as they’re added. I found it useful to turn all the devices off (untick the boxes in the left column) before starting the mapping.

Notes and Tips

I found that controls sometimes wouldn’t work. It turned out that sometimes controls were set to a higher value than the maximum value coming to them from OSCulator. So the control wouldn’t “pick up” the MIDI signal. Setting the unresponsive control (eg. “Warmth”) to zero solves that problem.

Signals coming into Live were quite jittery at first. Cranking up the “Smoothing” settings in the 1st instance of OSCulator fixed that.

A scratchpad post as I diagnose and repair an electrical fault in our Power Trac PT-1850. Pretty sparse right now, just starting.

The Problem:

Reset circuit breaker

Turn ignition on without starting motor — I get the normal beeps, flashing strobe and 12.4 volts on the gauge (normal for a 12 volt battery at rest)

Crank and start the motor

Voltage drops to around 11 volts (indicating to me that something is really pulling hard, maybe a short) and stays there for about 15 to 30 seconds, then the breaker pops and the voltage jumps up to 13.2 (pretty normal alternator-charging voltage, battery seems to be getting charged up).

With the breaker open/popped the strobe stops flashing. But tilt seat, emergency seat switch and draft control are still operational and the tractor made it back to the barn (about a mile).

Use the ignition switch to shut off the engine (which is weird because the breaker is right in front of the ignition switch in the wiring diagram, so why does it still work?)

The ignition switch is dead *after* I shut the engine off — no strobe, no beeps, no voltage on the gauge when I key it on.

Return to number 1 above

My current theory is that I have a short (first project — see if I can figure out which circuit it’s in, and where). One option is to replace the alternator (I have one coming, but at $600 I’d like to avoid opening the box if I can).

Wiring Diagrams

Here’s a PDF I got from Power Trac (which is newer than my machine and doesn’t match up with the next one – figuring out which one is right is another task for today)

Here’s an older GIF (I need to retrace my steps to figure out where I found this on the ‘net)

UPDATE: 2018

Here’s a pretty good example of how a lot of Power Trac puzzlers get solved by the gang on TractorByNet. This long thread talked all around the issue, which was eventually solved by replacing the alternator. Here’s a link to that thread.

Another scratchpad post. This one is a reminder of what I did to repair MySQL on OSX Server after the upgrade from Mavericks to Yosemite kinda broke things.

I was working to solve two problems: intermittent “unable to connect to database” errors on all our WordPress sites, and the dreaded “unable to update PID” errors when starting and stopping MySQL.

I think the “unable to connect” errors are caused by intruders trying to brute-force break the passwords on my (roughly 35) web sites. This problem can possibly be cured just by doing the “tuning” steps at the end of the cookbook.

“Unable to update PID…” type problems are more symptomatic of a broken MySQL implementation and probably require the whole process.

None of these were terrible (a system-restart every few days kept things more or less in check) so I limped along for a while after upgrading from Mavericks to Yosemite, but it finally drove me crazy and I decided to upgrade MySQL and rebuild all the databases.

The cookbook

I tried several approaches and finally landed on one which I can reliably repeat in the future (as long as the good folks at Mac Mini Vault continue to provide their magnificent script).

backup:

I used backups from all sorts of places. I thought I was being a little over the top, but things went wrong and I was really glad to have all these safety nets. Here were the backups I had available:

Time Machine backups of the /usr/local/mysql/ directory

Pre-upgrade copies of the /usr/local/mysql/data/ directory (and their Time Machine backups)

Historical (nightly) MYSQLDUMPs of all the databases (and their Time Machine backups). Use this command to write each database to a text file. I have a script that does all 35 of my databases at once, every night.

This was by far the hardest part to get right. MySQL doesn’t have an “uninstall” script and reacts badly when little odds and ends are left over from previous installations. My OSX Server has been running MySQL since OSX Lion and there was a fair amount of cruft left behind that was causing some of the trouble. Here’s my current list of things to move or remove (although not all of them will exist on any given machine):

move the old data directory (/usr/local/mysql/data/) to someplace else (yet another backup)

rename the old base MySQL directory (this is the directory with the version-number that the mysql alias points to – I renamed rather than deleted as a backup)

remove the /usr/local/mysql alias (it’s going to get recreated during the install, pointing at the new/correct base directory)

move MySQL.com out of /Library/StartupItems/

move My* out of /Library/PreferencePanes/

move My* out of your account’s /Library/PreferencePanes/ (I had two mismatched ones of these, one lurking in /Users/admin/Library/PreferencePanes that was really old)

edit /etc/hostconfig and remove the line MYSQLCOM=-YES- (If it’s still there — this was left over from the days when MySQL shipped as part of OSX Server)

remove entries for receipts for mysql in /Library/Receipts/Install-history.plist (I edited the plist with a text editor to do this)

remove receipts for mysql in /private/var/db/receipts/

remove mysql-related scripts from /Library/LaunchDaemons/

remove any aliases for mysql.sock from /var/mysql/, /etc/ and /private/var/mysql/ (I’ve had good luck leaving the directories in place and just deleting the aliases – ymmv)

If the Mac Mini Vault (MMV) script has been run before, here are a couple more things:

remove the MYSQL_PASSWORD item from the desktop

remove MySQL-install.plist from your /Downloads/ directory

install MySQL using the MMV script:

NOTE: the folks who maintain the script only support it for a clean install of MySQL on a freshly-loaded version of OSX. So this cookbook is OUTSIDE the bounds of what they support — please don’t complain to them if things break. Instead thank them for sharing this script publicly, and consider buying some of their services.

MySQL should now be running properly. I restarted the server to make sure MySQL started up on a reboot. I also started and stopped MySQL a few times from the command line to make sure that the “unable to update PID…” problems were solved:

I do NOT TRUST the MySQL preference-pane that is installed in OSX System Preferences and don’t use it – that may have been another source of dreaded “failure to update PID…” errors. Just sayin’

import the databases:

I chose to rebuild my databases from the nightly dumps. I tried various versions of “moving the data directory back and using the Update command” and had a rough time with all of them. Besides, rebuilding the databases for the first time in many years seemed like a good housekeeping item. I have about 35 databases — it took about an hour. Note: change all the ‘mydb’ ‘myuser’ ‘mypasswd’ to values that match your environment.

Log into mysql as MySQL’s root user:

mysql -u root -p'mypasswd'

Create the databases in mysql using this command:

create database mydb;

Create a user for each database in mysql using this command (btw Sequel Pro 1.0.2 is crashing when it creates a user — a known bug, just do it from the command line). Note: I’m assuming that you’re only using MySQL for WordPress sites like I am, and only need one user per database — this process will get a lot more tedious if you have multiple users per database.

grant all privileges on mydb.* to myuser@localhost identified by 'mypasswd';

Import the text-dump of each database into the newly-created empty one using Sequel Pro — File > Import

tuning:

Two things have really helped with the brute-force attacks: opening up MySQL a bit and changing a setting in PHP.

To give MySQL a little more oxygen, I followed the guidelines in a sample .cnf file that came with the Mac Mini Vault script. I slightly changed the settings, mostly to make them conform to MySQL standards (I’m not sure whether this matters).

edit /usr/local/mysql/my.cnf and add these lines at the very bottom (these are just a starting point, feel free to fiddle with them a bit):

Several of my ICANN pals have asked “how are you doing??” recently and I decided to write a little blog post to make it easier to describe the current sorry state of affairs.

Basically, dropping the ICANN stuff has freed up a lot of time. What follows is a sampling of how I’m filling it.

I’ve been doing a *lot* more music. Just learning how all the new electronic instruments work, and work together, is probably a full-time thing. I’m looking forward to winter when I’ll have a bit more time indoors to get at that. But today it rained and I fooled around with some new software (Komplete Kontrol) that rolled in. This is a completely unedited snapshot of what I was doing — except this is only a couple minutes out of several hours of playing around.

The farm is indeed taking up a really large part of my time right now. Spring and fall are busy seasons for me and all my machines (Marcie is busy all the time, that story is over on her blog — PrairieHaven.com). Right now I’m out on the tractor pretty much any chance I can get. The last few days have focused on mowing invasive Aspen trees out of one of the prairies that Marcie has planted. Here’s an action shot taken from my seat on the tractor…

And here’s a picture of the field when I was done later that afternoon — the goal is to mow as little as possible, while still knocking out the little brushy trees. A few years ago I had to mow that whole field, so all the little un-mowed places are definitely a step in the right direction. The last few years of ICANN, there wasn’t enough time to do this right.

I’ve been playing with a new toy — a drone. Here’s a picture of two of them — the big one is the one that takes pictures and video, the little one is the one I’ve been using to teach myself to fly (it’s much better to crash a $40 drone than a $1300 one, although I’ve crashed the big one a bunch of times and it seems to be holding up OK).

And here’s a picture I took from the big drone yesterday, showing the mist moving out of our valley that morning. Marcie has posted a few of the videos on her web site ( http://www.prairiehaven.com/?page_id=24997 )

Then, there’s the continuing battle against frac-sand mining here. All those beautiful bluffs you can see above the mist are the target of the miners — they’d like to peel the tops off of them, extract about 20 meters of sand, and then pile all the stuff back up again (thus completely wrecking the environment around here). I’ve been fighting them since 2010 and we’ve been pretty successful at keeping them out of this area. I’ve been keeping track of a lot of that stuff here on this web site.

There’s been a big change in the makeup of the County Board, mostly due to all the activism that sprouted up around the frac sand issue. One upshot of that is that I’ve just been appointed to a committee that keeps an eye on the land-information system that the County is responsible for (stuff like survey-quality section and quarter-section markers, online property descriptions, deeds, and the like). Just as my interest in ICANN focused on the proper tracking and treatment of domain names, I’m really interested in this land-information stuff. So I still have a hand in the policy-making game.

Another hobby that suffered while I over-committed to ICANN was woodworking. I have a pretty nifty woodworking shop here at the farm and I used to do pretty elaborate projects down there. The last few years of ICANN really chewed into that and I’m looking forward to getting back into it this winter. I went wild about a week ago and started cleaning up the shop and getting things reorganized. Here’s a link to a blog post that describes a typical “big” (all-winter) project. This was a dresser I built for Marcie just before I got caught up in ICANN-madness. You can read the whole blog post (showing some of the intermediate steps) HERE

There’s more, but this is probably enough to give you the picture.

I recently read a quote somewhere that a person should have no more than two hobbies. I’ve got a ways to go to get there, but I think it’s good advice.

I decided it was time to make a little statement and add “always on” encryption to this completely innocuous site. The online equivalent of moving a lemonade stand inside a bank vault. Now when you read about refurbishing my car, or fixing a seed drill, you’ll be doing it over an encrypted connection.

This is another scratchpad post for folks who run an OSX Server and want to use a multi-domain UC (unified communications) SSL certificate. The rest of you can stop here — this is probably the most boring post of all time.

UPDATE – May 2016 – Cloudflare Origin Cert on an OSX Server:

This section describes using Cloudflare Origin Certificates. The following section is the original post, where I was installing a Godaddy cert.

I’ve taken to using Cloudflare for all my sites. If you haven’t come across them, I heartily recommend you take a look — they’re a pretty nifty gang. Somewhere along there they added SSL to all the connections from end-users to their servers but that left the link from Cloudflare to my sites unencrypted.

They now support several ways to secure that connection – most of which are free. Free is good, since commercial certs to cover the 20 or so websites I host start to add up. I decided to try implementing their preferred approach where they issue me an “origin cert” (rather than using a self-signed cert which wouldn’t give end-users as much confidence).

Doing that on OSX Server is dead simple. Here are the steps:

Create a new cert-request on OSX Server.

We’ll create one for my buddy Foo (at bar.com).

Which results in a cert request that looks like this

Go to Cloudflare (I’m assuming the site is already established there) and submit the cert request. Note that I’ve elected to submit my own CSR. Cloudflare has a pretty interesting process to do it on their own but I decided I needed to generate the CSR within OSX Server in order to have a socket for the cert when it is issued.

Cloudflare generates the cert and provides it in a variety of formats. I elected PEM format and the certificate appears in the window. I copied/pasted/saved that text into a new text file (demo-cert.pem in this example) and saved it to the desktop of the server.

Back to OSX Server now. The CSR shows up as a pending cert in the Certificates window. Double-clicking it results in this screen. Drag the newly-saved demo-cert.pem file into the Certificate Files box and all is complete.

Create a new SSL web site, use the newly-installed cert, point it at the same directory as the port-80 cleartext site, do a redirect to the port-443 site to complete the job. Don’t forget to tick the “allow overrides using .htaccess files” box in Advanced Settings for the site so’s the permalinks work.

Original post – August 2014 – Godaddy Cert

I’m a happy Godaddy customer, so the examples in this post are Godaddy-oriented. But the theory should apply to any Unified Communications (UC) cert vendor.

Single-domain cert

Here is Godaddy’s list of steps for installing a standard single-domain cert. Click here to view the help page these came from. The process for a multi-domain cert is almost the same, but let’s start with “vanilla.”

To Generate a CSR with Mac OS X 10.7-10.9

On the Mac, launch Server.

Click Certificates on the left.

Click +.

Click Next.

Complete the on-screen fields, and then click Next.

Either copy the CSR that displays, or click Save and save the file locally.

After you have successfully requested a certificate, you need to install the certificate files we provide on your server.

To Install an SSL Certificate with Mac OS X 10.9

Download your certificate’s files — you can use the files we offer for Mac OS 10.6 (more info).

On the Mac, launch Server.

Click Certificates on the left.

Double-click the common name of the certificate you requested.

Click and drag the certificate and bundle files into the Certificate Files section.

Click OK.

This installs the certificate on your server. To verify its installation, you should see your certificate’s common name listed in the Settings menu.

Multi-domain Unified Communications (UC) cert

There are two things that are different when using a UC cert.

Change #1) Use one CSR to request the cert

Create one certificate signing request (CSR) in the OSX Server app, no matter how many domains are going to be covered by the UC cert. The CSR is just creating a socket into which the certificate is going to be installed by OSX Server and only one such socket is needed.

All of the domains added through Godaddy’s “manage Subject Alternative Names (SAN)” process will work once the cert is installed.

Take care in choosing the domain name when creating the CSR. This will be the “common name” on the cert and is the only domain name that cannot change later. This is the apex of the hierarchy of the cert and is the only one that will appear if site-visitors view the cert.

The picture below is an example of the Godaddy management interface looking at a (prior version of) the cert that secures this page. That cert appears in OSX Server’s list of Trusted Certificates as “server.cloudmikey.com” — that name came from the CSR I generated in OSX Server.

The alternate domains that will also work with this version of the cert are “cloudmikey.com” and “server.haven2.com” but those names are entered at the Godaddy end, NOT through CSR’s from OSX Server.

To restate — just create one CSR and add the rest of the domains through the cert-vendor’s Subject Alternative Name process. In my case, the domain in the CSR was for “server.cloudmikey.com”

Change #2) Add domains to the cert BEFORE downloading it to OSX Server

Don’t download the cert that’s created from the CSR just yet. It will only have the Common Name and doesn’t yet include the other domains that the cert will cover.

In the case of the cert shown above, the SANs “cloudmikey.com” and “server.haven2.com” were added through Godaddy’s cert-management interface before I downloaded/installed the cert.

Follow the vendor-provided download/install steps.

Now that the cert has the proper names added, it installs the same way a single-domain cert does (see above).

To recap Godaddy’s instructions: download the OSX 10.6 version of the files, unzip them, click on the pending cert request in Server, drag the two unzipped files into the CSR when it asks for them, click OK and wait a bit while the cert installs.

Verify that the cert covers the domain-names that are needed

Once the cert has been installed, review (double-click) the cert on OSX Server to make sure that all the needed domains are there. The list of domains is in the middle of the cert; each entry is titled “DNS Name.” If they’re all there, jump ahead and start assigning the cert to web pages and services.

If the names listed on the installed cert don’t match what’s needed, add the missing domains before using it

Delete the cert from OSX server (it’s OK, it’ll be downloaded again in a jiffy)

Return to Godaddy and modify the Subject Alternative Names (SANs) to get the domains right

Create a new CSR on OSX Server – again, this is just a socket into which the cert will install.

Download/install/verify the cert

Note: The cert will install correctly as long as the domain in the new CSR matches one of the domains covered by the cert. But it will always appear under the common name on the cert, which confused me. I surprised myself by installing this cert under a “haven2.com” CSR — it installed just fine, but its name changed to “server.cloudmikey.com” on the list of Trusted Certificates in OSX Server. Best to avoid confusion by creating the replacement CSR under the common name.

Once the cert is right, associate the cert with web pages and services.

Web pages and services will operate correctly as long as the domain of the web-page or service matches one of the domains on the cert.

It doesn’t matter that the common name of the cert (server.cloudmikey.com in this case) doesn’t match the domain of the web page (haven2.com).
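The "verify that the cert covers the needed domain names" check can also be scripted. The following is an added example, not part of the original post: it compares a list of needed hostnames against the cert's "DNS Name" (Subject Alternative Name) entries and ignores the common name, as browsers do. The function names are hypothetical and the sample cert is constructed from the names mentioned above.

```python
import socket
import ssl

def san_dns_names(cert):
    """DNS entries from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, host):
    """Exact match, or '*' as the whole left-most label standing for one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_rest = pattern[2:]
        h_first, _, h_rest = host.partition(".")
        # '*.example.com' covers 'www.example.com', not 'example.com' or 'a.b.example.com'
        return bool(h_first) and h_rest == p_rest and "." in p_rest
    return False

def missing_names(cert, needed):
    """Hostnames in `needed` that no SAN entry on the cert covers."""
    sans = san_dns_names(cert)
    return [h for h in needed if not any(name_matches(s, h) for s in sans)]

def fetch_cert(host, port=443):
    """Read the cert a live server presents. The handshake validates the chain
    and `host`, so this suits a publicly trusted cert and a name it already covers."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() format: common name plus the two SANs
# named in the post for the earlier version of the cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "server.cloudmikey.com"),),),
    "subjectAltName": (
        ("DNS", "server.cloudmikey.com"),
        ("DNS", "cloudmikey.com"),
        ("DNS", "server.haven2.com"),
    ),
}

if __name__ == "__main__":
    needed = ["server.cloudmikey.com", "cloudmikey.com",
              "server.haven2.com", "haven2.com"]
    print("not covered:", missing_names(SAMPLE_CERT, needed))
```

Any name it reports as not covered has to be added through the vendor's SAN management before the cert is assigned to that site.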

That concludes my report. This web page is running under a later version of that cert — you can see what it looks like by double-clicking the “lock” in the URL bar of your browser.

Renew the cert

A year has passed and it’s time to renew the cert. Here’s a checklist:

Launch the Server app, open the cert that is coming up for renewal, click the “renew” button, generate a CSR.

Renew the cert at the cert-provider, using the newly-generated CSR (this is a copy/paste operation at Godaddy)

Download the certs from the vendor once you have been validated

Open up the “pending” cert again in the Server app and drag the newly-downloaded cert files from the vendor into the box that’s displayed.

There should now be two certs in the Server app list — the current one and the new one. Update the cert configuration to point at the newly-renewed cert.

Test with the new cert and once all is working and verified, delete the expiring one

Samantha Dickinson Tweeted this photo from the ICANN meeting today and tagged it #VolunteerFatigue. I’m living proof.

Let’s say that each of those 7 working groups needs 4 volunteers — that’s almost 30 people. Just from the ccNSO. Just for upcoming working groups. Never mind the GNSO, ALAC, SSAC and GAC. A rough extrapolation puts the total required at over 100 volunteer community members just to handle the IANA/Accountability/Transition work.

ICANN is dangerously thin at the bottom of the bottom-up process. Are there that many people with the experience/time/expertise/will available? What happens to all the other Working Group work in the meantime?